Limit SSH node security group to Bastion IP

gardener-attic · Aug 13, 2020 · 3a65cda · 3a65cda
1 parent a215dad
commit 3a65cda
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pkg/cmd/ssh_aws.go b/pkg/cmd/ssh_aws.go
@@ -194,7 +194,7 @@ func (a *AwsInstanceAttribute) createBastionHostSecurityGroup() {
 	fmt.Println("Bastion host security group set up.")
 
 	// add shh rule to ec2 instance
-	arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr 0.0.0.0/0", a.SecurityGroupID)
+	arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32", a.SecurityGroupID, a.BastionIP)
 	captured = capture()
 	operate("aws", arguments)
 	_, err = captured()
@@ -336,7 +336,7 @@ func (a *AwsInstanceAttribute) cleanupAwsBastionHost() {
 
 	// remove shh rule from ec2 instance
 	fmt.Println("  (2/3) Close SSH Port on Node.")
-	arguments = fmt.Sprintf("aws ec2 revoke-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr 0.0.0.0/0", a.SecurityGroupID)
+	arguments = fmt.Sprintf("aws ec2 revoke-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32", a.SecurityGroupID, a.BastionIP)
 	captured = capture()
 	operate("aws", arguments)
 	capturedOutput, err = captured()